integrations

package
v0.1.0-beta.3.4 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Feb 20, 2021 License: MIT Imports: 9 Imported by: 0

Documentation

Index

Constants

View Source
const (
	KubeX509   KubeIntegrationName = "x509"
	KubeBasic                      = "basic"
	KubeBearer                     = "bearer"
	KubeLocal                      = "local"
)

The supported kube auth mechanisms

Variables

View Source
var PorterClusterIntegrations = []PorterIntegration{
	PorterIntegration{
		AuthMechanism: "gcp",
		Category:      "cluster",
		Service:       GKE,
	},
	PorterIntegration{
		AuthMechanism: "aws",
		Category:      "cluster",
		Service:       EKS,
	},
	PorterIntegration{
		AuthMechanism: "kube",
		Category:      "cluster",
		Service:       Kube,
	},
}

PorterClusterIntegrations are the supported cluster integrations

View Source
var PorterGitRepoIntegrations = []PorterIntegration{
	PorterIntegration{
		AuthMechanism: "oauth",
		Category:      "repo",
		Service:       Github,
	},
}

PorterGitRepoIntegrations are the supported git repo integrations

View Source
var PorterHelmRepoIntegrations = []PorterIntegration{
	PorterIntegration{
		AuthMechanism: "basic",
		Category:      "helm",
		Service:       HelmRepo,
	},
	PorterIntegration{
		AuthMechanism: "gcp",
		Category:      "helm",
		Service:       GCS,
	},
	PorterIntegration{
		AuthMechanism: "aws",
		Category:      "helm",
		Service:       S3,
	},
}

PorterHelmRepoIntegrations are the supported helm repo integrations

View Source
var PorterRegistryIntegrations = []PorterIntegration{
	PorterIntegration{
		AuthMechanism: "gcp",
		Category:      "registry",
		Service:       GCR,
	},
	PorterIntegration{
		AuthMechanism: "aws",
		Category:      "registry",
		Service:       ECR,
	},
	PorterIntegration{
		AuthMechanism: "oauth",
		Category:      "registry",
		Service:       Docker,
	},
}

PorterRegistryIntegrations are the supported registry integrations

Functions

func GCPProjectIDFromJSON

func GCPProjectIDFromJSON(jsonData []byte) (string, error)

Types

type AWSIntegration

type AWSIntegration struct {
	gorm.Model

	// The id of the user that linked this auth mechanism
	UserID uint `json:"user_id"`

	// The project that this integration belongs to
	ProjectID uint `json:"project_id"`

	// The AWS arn this is integration is linked to
	AWSArn string `json:"aws_arn"`

	// The optional AWS region (required by some session configurations)
	AWSRegion string `json:"aws_region"`

	// The AWS cluster ID
	// See https://github.com/kubernetes-sigs/aws-iam-authenticator#what-is-a-cluster-id
	AWSClusterID []byte `json:"aws_cluster_id"`

	// The AWS access key for this IAM user
	AWSAccessKeyID []byte `json:"aws_access_key_id"`

	// The AWS secret key for this IAM user
	AWSSecretAccessKey []byte `json:"aws_secret_access_key"`

	// An optional session token, if the user is assuming a role
	AWSSessionToken []byte `json:"aws_session_token"`
}

AWSIntegration is an auth mechanism that uses a AWS IAM user to authenticate

func (*AWSIntegration) Externalize

func (a *AWSIntegration) Externalize() *AWSIntegrationExternal

Externalize generates an external KubeIntegration to be shared over REST

func (*AWSIntegration) GetBearerToken

func (a *AWSIntegration) GetBearerToken(
	getTokenCache GetTokenCacheFunc,
	setTokenCache SetTokenCacheFunc,
) (string, error)

GetBearerToken retrieves a bearer token for an AWS account

func (*AWSIntegration) GetSession

func (a *AWSIntegration) GetSession() (*session.Session, error)

GetSession retrieves an AWS session to use based on the access key and secret access key

func (*AWSIntegration) PopulateAWSArn

func (a *AWSIntegration) PopulateAWSArn() error

PopulateAWSArn uses the access key/secret to get the caller identity, and attaches it to the AWS integration

func (*AWSIntegration) ToProjectIntegration

func (a *AWSIntegration) ToProjectIntegration(
	category string,
	service IntegrationService,
) *ProjectIntegration

ToProjectIntegration converts an aws integration to a project integration

type AWSIntegrationExternal

type AWSIntegrationExternal struct {
	ID uint `json:"id"`

	// The id of the user that linked this auth mechanism
	UserID uint `json:"user_id"`

	// The project that this integration belongs to
	ProjectID uint `json:"project_id"`

	// The AWS arn this is integration is linked to
	AWSArn string `json:"aws_arn"`
}

AWSIntegrationExternal is a AWSIntegration to be shared over REST

type BasicIntegration

type BasicIntegration struct {
	gorm.Model

	// The id of the user that linked this auth mechanism
	UserID uint `json:"user_id"`

	// The project that this integration belongs to
	ProjectID uint `json:"project_id"`

	// Username/Password for basic authentication to a cluster
	Username []byte `json:"username,omitempty"`
	Password []byte `json:"password,omitempty"`
}

BasicIntegration represents a basic auth mechanism via username/password

func (*BasicIntegration) Externalize

func (b *BasicIntegration) Externalize() *BasicIntegrationExternal

Externalize generates an external BasicIntegration to be shared over REST

func (*BasicIntegration) ToProjectIntegration

func (b *BasicIntegration) ToProjectIntegration(
	category string,
	service IntegrationService,
) *ProjectIntegration

ToProjectIntegration converts an oauth integration to a project integration

type BasicIntegrationExternal

type BasicIntegrationExternal struct {
	ID uint `json:"id"`

	// The id of the user that linked this auth mechanism
	UserID uint `json:"user_id"`

	// The project that this integration belongs to
	ProjectID uint `json:"project_id"`
}

BasicIntegrationExternal is a BasicIntegration to be shared over REST

type ClusterTokenCache

type ClusterTokenCache struct {
	TokenCache

	ClusterID uint `json:"cluster_id"`
}

ClusterTokenCache is a token cache that clusters can use; a foreign key constraint between a Cluster and ClusterTokenCache is created

type GCPIntegration

type GCPIntegration struct {
	gorm.Model

	// The id of the user that linked this auth mechanism
	UserID uint `json:"user_id"`

	// The project that this integration belongs to
	ProjectID uint `json:"project_id"`

	// The GCP project id where the service account for this auth mechanism persists
	GCPProjectID string `json:"gcp_project_id"`

	// The GCP user email that linked this service account
	GCPUserEmail string `json:"gcp-user-email"`

	// The GCP region, which may or may not be used by the integration
	GCPRegion string `json:"gcp_region"`

	// KeyData for a service account for GCP connectors
	GCPKeyData []byte `json:"gcp_key_data"`
}

GCPIntegration is an auth mechanism that uses a GCP service account to authenticate

func (*GCPIntegration) Externalize

func (g *GCPIntegration) Externalize() *GCPIntegrationExternal

Externalize generates an external KubeIntegration to be shared over REST

func (*GCPIntegration) GetBearerToken

func (g *GCPIntegration) GetBearerToken(
	getTokenCache GetTokenCacheFunc,
	setTokenCache SetTokenCacheFunc,
	scopes ...string,
) (string, error)

GetBearerToken retrieves a bearer token for a GCP account

func (*GCPIntegration) ToProjectIntegration

func (g *GCPIntegration) ToProjectIntegration(
	category string,
	service IntegrationService,
) *ProjectIntegration

ToProjectIntegration converts a gcp integration to a project integration

type GCPIntegrationExternal

type GCPIntegrationExternal struct {
	ID uint `json:"id"`

	// The id of the user that linked this auth mechanism
	UserID uint `json:"user_id"`

	// The project that this integration belongs to
	ProjectID uint `json:"project_id"`

	// The GCP project id where the service account for this auth mechanism persists
	GCPProjectID string `json:"gcp-project-id"`

	// The GCP user email that linked this service account
	GCPUserEmail string `json:"gcp-user-email"`
}

GCPIntegrationExternal is a GCPIntegration to be shared over REST

type GetTokenCacheFunc

type GetTokenCacheFunc func() (tok *TokenCache, err error)

GetTokenCacheFunc is a function that retrieves the token and expiry time from the db

type HelmRepoTokenCache

type HelmRepoTokenCache struct {
	TokenCache

	HelmRepoID uint `json:"helm_repo_id"`
}

HelmRepoTokenCache is a token cache that helm repos can use; a foreign key constraint between a HelmRepo and HelmRepoTokenCache is created

type IntegrationService

type IntegrationService string

IntegrationService is the name of a third-party service

const (
	GKE      IntegrationService = "gke"
	GCS      IntegrationService = "gcs"
	S3       IntegrationService = "s3"
	HelmRepo IntegrationService = "helm"
	EKS      IntegrationService = "eks"
	Kube     IntegrationService = "kube"
	GCR      IntegrationService = "gcr"
	ECR      IntegrationService = "ecr"
	DOCR     IntegrationService = "docr"
	Github   IntegrationService = "github"
	Docker   IntegrationService = "docker"
)

The list of supported third-party services

type KubeIntegration

type KubeIntegration struct {
	gorm.Model

	// The name of the auth mechanism
	Mechanism KubeIntegrationName `json:"mechanism"`

	// The id of the user that linked this auth mechanism
	UserID uint `json:"user_id"`

	// The project that this integration belongs to
	ProjectID uint `json:"project_id"`

	// Certificate data is used by x509 auth mechanisms over TLS
	ClientCertificateData []byte `json:"client-certificate-data,omitempty"`
	ClientKeyData         []byte `json:"client-key-data,omitempty"`

	// Token is used for bearer-token auth mechanisms
	Token []byte `json:"token,omitempty"`

	// Username/Password for basic authentication to a cluster
	Username []byte `json:"username,omitempty"`
	Password []byte `json:"password,omitempty"`

	// The raw kubeconfig, used by local auth mechanisms
	Kubeconfig []byte `json:"kubeconfig"`
}

KubeIntegration represents the kube-native auth mechanisms: using x509 certs, basic (username/password), bearer tokens, or local (using local kubeconfig)

func (*KubeIntegration) Externalize

func (k *KubeIntegration) Externalize() *KubeIntegrationExternal

Externalize generates an external KubeIntegration to be shared over REST

func (*KubeIntegration) ToProjectIntegration

func (k *KubeIntegration) ToProjectIntegration(
	category string,
	service IntegrationService,
) *ProjectIntegration

ToProjectIntegration converts a gcp integration to a project integration

type KubeIntegrationExternal

type KubeIntegrationExternal struct {
	ID uint `json:"id"`

	// The name of the auth mechanism
	Mechanism KubeIntegrationName `json:"mechanism"`

	// The id of the user that linked this auth mechanism
	UserID uint `json:"user_id"`

	// The project that this integration belongs to
	ProjectID uint `json:"project_id"`
}

KubeIntegrationExternal is a KubeIntegration to be shared over REST

type KubeIntegrationName

type KubeIntegrationName string

KubeIntegrationName is the name of a kube auth mechanism

type OAuthIntegration

type OAuthIntegration struct {
	gorm.Model

	// The name of the auth mechanism
	Client OAuthIntegrationClient `json:"client"`

	// The id of the user that linked this auth mechanism
	UserID uint `json:"user_id"`

	// The project that this integration belongs to
	ProjectID uint `json:"project_id"`

	// The ID issued to the client
	ClientID []byte `json:"client-id"`

	// The end-users's access token
	AccessToken []byte `json:"access-token"`

	// The end-user's refresh token
	RefreshToken []byte `json:"refresh-token"`
}

OAuthIntegration is an auth mechanism that uses oauth https://tools.ietf.org/html/rfc6749

func (*OAuthIntegration) Externalize

func (o *OAuthIntegration) Externalize() *OAuthIntegrationExternal

Externalize generates an external KubeIntegration to be shared over REST

func (*OAuthIntegration) ToProjectIntegration

func (o *OAuthIntegration) ToProjectIntegration(
	category string,
	service IntegrationService,
) *ProjectIntegration

ToProjectIntegration converts an oauth integration to a project integration

type OAuthIntegrationClient

type OAuthIntegrationClient string

OAuthIntegrationClient is the name of an OAuth mechanism client

const (
	OAuthGithub       OAuthIntegrationClient = "github"
	OAuthDigitalOcean OAuthIntegrationClient = "do"
)

The supported oauth mechanism clients

type OAuthIntegrationExternal

type OAuthIntegrationExternal struct {
	ID uint `json:"id"`

	// The name of the auth mechanism
	Client OAuthIntegrationClient `json:"client"`

	// The id of the user that linked this auth mechanism
	UserID uint `json:"user_id"`

	// The project that this integration belongs to
	ProjectID uint `json:"project_id"`
}

OAuthIntegrationExternal is an OAuthIntegration to be shared over REST

type OIDCIntegration

type OIDCIntegration struct {
	gorm.Model

	// The name of the auth mechanism
	Client OIDCIntegrationClient `json:"client"`

	// The id of the user that linked this auth mechanism
	UserID uint `json:"user_id"`

	// The project that this integration belongs to
	ProjectID uint `json:"project_id"`

	// The "Issuer Identifier" of the OIDC spec (16.15)
	IssuerURL []byte `json:"idp-issuer-url"`

	// The ID issued to the Relying Party
	ClientID []byte `json:"client-id"`

	// The secret issued to the Relying Party
	//
	// This is present because it used to be a required field in a kubeconfig.
	// However, because the kube apiserver acts as a Relying Party, the client
	// secret is not necessary.
	ClientSecret []byte `json:"client-secret"`

	// The CA data -- certificate check must be performed (16.17)
	CertificateAuthorityData []byte `json:"idp-certificate-authority-data"`

	// The user's JWT id token
	IDToken []byte `json:"id-token"`

	// The user's refresh token
	RefreshToken []byte `json:"refresh-token"`
}

OIDCIntegration is an auth mechanism that uses oidc. Spec: https://openid.net/specs/openid-connect-core-1_0.html

func (*OIDCIntegration) Externalize

func (o *OIDCIntegration) Externalize() *OIDCIntegrationExternal

Externalize generates an external KubeIntegration to be shared over REST

func (*OIDCIntegration) ToProjectIntegration

func (o *OIDCIntegration) ToProjectIntegration(
	category string,
	service IntegrationService,
) *ProjectIntegration

ToProjectIntegration converts a gcp integration to a project integration

type OIDCIntegrationClient

type OIDCIntegrationClient string

OIDCIntegrationClient is the name of an OIDC auth mechanism client

const (
	OIDCKube OIDCIntegrationClient = "kube"
)

The supported OIDC auth mechanism clients

type OIDCIntegrationExternal

type OIDCIntegrationExternal struct {
	ID uint `json:"id"`

	// The name of the auth mechanism
	Client OIDCIntegrationClient `json:"client"`

	// The id of the user that linked this auth mechanism
	UserID uint `json:"user_id"`

	// The project that this integration belongs to
	ProjectID uint `json:"project_id"`
}

OIDCIntegrationExternal is a OIDCIntegration to be shared over REST

type PorterIntegration

type PorterIntegration struct {
	AuthMechanism string             `json:"auth_mechanism"`
	Category      string             `json:"category"`
	Service       IntegrationService `json:"service"`
}

PorterIntegration is a supported integration service, specifying an auth mechanism and the category of integration. A single service can have multiple auth mechanisms. For example, a GKE integration can have both an "oauth" mechanism and a "gcp" mechanism:

PorterIntegration{
	AuthMechanism: "oauth",
	Category: "cluster",
	Service: GKE,
}
PorterIntegration{
	AuthMechanism: "gcp",
	Category: "cluster",
	Service: GKE,
}

type ProjectIntegration

type ProjectIntegration struct {
	ID        uint `json:"id"`
	ProjectID uint `json:"project_id"`

	AuthMechanism string             `json:"auth_mechanism"`
	Category      string             `json:"category"`
	Service       IntegrationService `json:"service"`
}

ProjectIntegration is the top-level integration object for various integrations. Although the integrations are stored in the DB by auth mechanism, the integrations are cast to a ProjectIntegration for consolidation before passing on to the client.

type RegTokenCache

type RegTokenCache struct {
	TokenCache

	RegistryID uint `json:"registry_id"`
}

RegTokenCache stores a token and an expiration for the JWT token for a Docker registry. This will never be shared over REST, so no need to externalize.

type SetTokenCacheFunc

type SetTokenCacheFunc func(token string, expiry time.Time) error

SetTokenCacheFunc is a function that updates the token cache with a new token and expiry time

type TokenCache

type TokenCache struct {
	gorm.Model

	Expiry time.Time `json:"expiry,omitempty"`

	Token []byte `json:"access_token"`
}

TokenCache stores a token and an expiration for the token for a service account. This will never be shared over REST, so no need to externalize.

func (*TokenCache) IsExpired

func (t *TokenCache) IsExpired() bool

IsExpired returns true if a token is expired, false otherwise

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL